@wiggitywhitney
Last active February 26, 2026 20:47
How Yahoo Secures Billions of Requests with Zero Trust (Athenz Explained)

Associated Thunder episode: How Yahoo Secures Billions of Requests with Zero Trust (Athenz Explained)

Athenz Explained


Before Athenz...

Changes happening in security:

  • TCP → TLS → mTLS
  • HTTP → HTTPS
  • Problem of humans interacting with systems was solved
  • What about service identity?

Services run everywhere, so how do you authenticate services across clouds and on prem?

Athenz uses X.509 certs for identity and mutual TLS (mTLS):

  • Private keys generated by workloads themselves
  • Athenz can act as a CA

What is Athenz?

Athenz is a set of services that:

  • Provides service authentication (authn) by issuing identities to all registered services (identity = X.509 certs)
  • Provides a role-based authorization (authz) system for services

Authn + Authz = Athenz


The Authentication Part: How Do We Give Identities?

Multi-tenancy, multi-environment STRUCTURE:

  • A DOMAIN is an Athenz construct that isolates products from one another (like a namespace). Athenz is designed to run as one instance per company.
  • A SUBDOMAIN isolates environments within a domain (a domain can have several subdomains, and they can be nested)
  • A service lives within a subdomain

The Process:

  1. The workload is created
  2. Athenz agent launches alongside workload
  3. The agent:
    • Generates a private key
    • Collects attestation data
    • Generates a CSR
    • Submits all of this to Athenz server

MAKE SURE YOUR CA PRIVATE KEY IS WILDLY SAFE SAFE SAFE SAFE.

  4. The Athenz Server (ZTS):
    • Has the concept of "providers" — provider could be AWS, K8s, GCP
    • Validates:
      • That the service is registered with the right provider
      • Talks to provider, shows attestation data, provider confirms that it is true
    • Receives "validation successful"
    • Acts as CA and signs CSR

CERTIFICATE IS ISSUED!


What If the System Is Compromised? Revocation.

  • Every workload has a unique ID
  • Every X.509 certificate IDs its workload
  • This helps to know which service is compromised

DON'T REVOKE, INSTEAD USE SHORT-LIVED CERTIFICATES. If a service is compromised, simply stop renewing its certificate and it expires on its own. The lifetime is configurable per service.

Certificate Refreshing:

  • Each X.509 cert has a serial number that is evaluated and changes per refresh
  • Each refresh = one unique cert

Authorization: Role-Based

ROLE — ACTION — RESOURCE

Anyone who has this role is allowed to do this action on this resource. Can add time limits.

Athenz only owns the role. It issues access tokens to services.

The admin adds the action and resource. All based on standard OAuth2 access token.

Athenz uses the service's certificate to further validate its access token: the token is bound to the X.509 cert that presented it, which prevents REPLAY ATTACKS.

"mTLS-bound access tokens" (certificate-bound access tokens, standardized in RFC 8705) are an industry standard, not an Athenz-specific trick.
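As an added illustration (not Athenz's own code), the check below shows what a resource server does with a certificate-bound token in the RFC 8705 style: the token's `cnf` claim carries the base64url SHA-256 thumbprint (`x5t#S256`) of the client certificate it was issued to, and the server compares that with the certificate on the current mTLS session. The certificate bytes and the unsigned demo token are constructed here; signature verification is assumed to have already happened before this check runs.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the DER bytes of two workloads' X.509 certs.
CERT_A = b"CONSTRUCTED-DER-BYTES-workload-a"
CERT_B = b"CONSTRUCTED-DER-BYTES-workload-b"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def cert_thumbprint(cert_der: bytes) -> str:
    # x5t#S256: base64url(SHA-256(DER certificate))
    return b64url(hashlib.sha256(cert_der).digest())

def make_token(service: str, role: str, cert_der: bytes, ttl: int, now: int) -> str:
    # Demo token with an empty signature segment; the 'cnf' claim binds it
    # to the certificate the requesting workload presented over mTLS.
    header = {"alg": "none", "typ": "at+jwt"}
    payload = {"sub": service, "scope": role, "iat": now, "exp": now + ttl,
               "cnf": {"x5t#S256": cert_thumbprint(cert_der)}}
    return ".".join(b64url(json.dumps(p).encode()) for p in (header, payload)) + "."

def decode_payload(token: str) -> dict:
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(part))

def validate_bound_token(token: str, presented_cert_der: bytes, now: int) -> str:
    """Resource-server side check: short lifetime plus certificate binding."""
    claims = decode_payload(token)
    if now >= claims["exp"]:
        return "rejected: token expired"
    expected = claims.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return "rejected: token is not certificate-bound"
    if not hmac.compare_digest(expected, cert_thumbprint(presented_cert_der)):
        return "rejected: token bound to a different certificate (possible replay)"
    return f"accepted: {claims['sub']} may act in role {claims['scope']}"

if __name__ == "__main__":
    now = 1_700_000_000
    tok = make_token("sports.api", "sports:role.reader", CERT_A, 3600, now)
    print(validate_bound_token(tok, CERT_A, now + 10))    # accepted
    print(validate_bound_token(tok, CERT_B, now + 10))    # replay from another workload
    print(validate_bound_token(tok, CERT_A, now + 3600))  # short lifetime has run out
```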

Athenz Supports SPIFFE's SVIDs


The Future

  • Integration with cert-manager to eliminate the need of an Athenz agent sidecar per workload (Update: Now available)
  • Integrate GitHub Actions as a provider (Update: Now available)
  • Standardize on using OpenTelemetry for observability
  • Microsegmentation